The 5G Protocol May Still Be Vulnerable to IMSI Catchers

It’s hard to talk about the vulnerabilities in cellular technology without increasing the amount of fear, uncertainty, and doubt. There is already much uncertainty around cell-site simulators (CSS, aka Stingrays), their capabilities, and how widely they are used. Partly this is because of the veil of secrecy that has surrounded the workings of commercial cell-site simulators thanks to the widespread use of non-disclosure agreements by manufacturers such as Rayzone and Harris Corporation. The privacy threats posed by CSSs are undoubtedly dire, but we need to keep our hypotheses about their capabilities and the scope of their use grounded in facts and research.

One good source of research about the potential capabilities of cell-site simulators has been academia. A number of excellent papers explore vulnerabilities in 2G, 3G, and 4G that are potentially the same ones exploited by commercial CSSs.

The upcoming 5G protocol for cellular communications promises many improvements over the current 4G standard, including a claim that it would protect mobile users from cell-site simulators. But here’s the catch: new research suggests that it won’t. Researchers from ETH Zurich and Technische Universität Berlin have discovered that a flaw in the Authentication and Key Agreement (AKA) protocol (used in 3G, 4G, and the upcoming 5G standard) allows for a new privacy attack against all variants of the protocol.

The AKA protocol is the mechanism by which a phone and tower mutually verify each other’s authenticity and establish shared keys to protect future communications. Previous generations of the AKA protocol used in 3G and 4G have already been shown to be insufficient by some of the same researchers, who have demonstrated attacks exploiting information leaks allowing an attacker to derive the subscriber’s location. These attacks are likely the same ones used by newer generations of cell-site simulators that purportedly work natively on the 4G standard, such as the Hailstorm.
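To make the mutual-authentication flow concrete, here is a small model of an AKA challenge-response exchange. It is an added illustration, not code from this post, from the ETH Zurich/TU Berlin researchers, or from 3GPP, and it is not an implementation of the specification: the real standard derives the MAC, RES, session keys and anonymity key with the operator-specific MILENAGE functions (f1 to f5), which are replaced here by labelled HMAC-SHA256 calls so the example runs offline; the subscriber key is a constructed value. It shows the two properties the paragraph describes, the phone rejecting a challenge that was not built with its key (mutual verification) and both sides ending up with the same session keys, plus the freshness check that makes a replayed challenge fail with a distinct error code.

```python
"""Toy AKA challenge-response (added example; not 3GPP's algorithm).

Assumed simplified layout: the network sends RAND and
AUTN = (SQN xor AK) || AMF || MAC; the phone checks MAC, checks that SQN is
fresh, and answers with RES while both sides derive CK/IK.
"""
import hashlib
import hmac
import os

# Constructed long-term subscriber key (stand-in for the SIM's K).
K = bytes.fromhex("00112233445566778899aabbccddeeff")
AMF = b"\x80\x00"  # authentication management field, fixed for the toy


def f(tag: bytes, k: bytes, *parts: bytes, n: int) -> bytes:
    """Stand-in for MILENAGE f1..f5 (assumption): keyed PRF, truncated."""
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class HomeNetwork:
    """Holds K and a monotonically increasing sequence number SQN."""

    def __init__(self, k: bytes):
        self.k, self.sqn, self.last = k, 0, None

    def make_challenge(self):
        self.sqn += 1
        sqn = self.sqn.to_bytes(6, "big")
        rand = os.urandom(16)
        mac = f(b"f1", self.k, sqn, rand, AMF, n=8)   # authenticates the network
        ak = f(b"f5", self.k, rand, n=6)               # anonymity key hides SQN
        autn = xor(sqn, ak) + AMF + mac
        xres = f(b"f2", self.k, rand, n=8)             # expected phone response
        ck = f(b"f3", self.k, rand, n=16)
        ik = f(b"f4", self.k, rand, n=16)
        self.last = (rand, autn)
        return rand, autn, xres, ck, ik


class Phone:
    """Holds the same K and the highest SQN it has accepted so far."""

    def __init__(self, k: bytes):
        self.k, self.sqn = k, 0

    def respond(self, rand: bytes, autn: bytes):
        sqn_ak, amf, mac = autn[:6], autn[6:8], autn[8:]
        sqn = xor(sqn_ak, f(b"f5", self.k, rand, n=6))
        # A tower without K cannot produce a valid MAC: distinct failure code.
        if not hmac.compare_digest(mac, f(b"f1", self.k, sqn, rand, amf, n=8)):
            return "MAC_FAILURE", None
        # A replayed (or stale) challenge carries a non-fresh SQN: distinct code.
        if int.from_bytes(sqn, "big") <= self.sqn:
            return "SYNC_FAILURE", None
        self.sqn = int.from_bytes(sqn, "big")
        res = f(b"f2", self.k, rand, n=8)
        ck = f(b"f3", self.k, rand, n=16)
        ik = f(b"f4", self.k, rand, n=16)
        return "OK", (res, ck, ik)


def run_aka(network: HomeNetwork, phone: Phone) -> str:
    """One full exchange; returns the outcome as the network sees it."""
    rand, autn, xres, ck, ik = network.make_challenge()
    status, payload = phone.respond(rand, autn)
    if status != "OK":
        return status
    res, ck_ue, ik_ue = payload
    if not hmac.compare_digest(res, xres):
        return "RES_MISMATCH"
    assert (ck, ik) == (ck_ue, ik_ue)  # both sides agreed on session keys
    return "AUTHENTICATED"


def demo() -> dict:
    """Genuine run, replayed challenge, tampered MAC, and a tower lacking K."""
    net, ue = HomeNetwork(K), Phone(K)
    results = {"fresh": run_aka(net, ue)}
    rand, autn = net.last
    results["replayed"] = ue.respond(rand, autn)[0]
    bad_autn = autn[:-1] + bytes([autn[-1] ^ 0x01])
    results["tampered_mac"] = ue.respond(rand, bad_autn)[0]
    results["wrong_key"] = run_aka(HomeNetwork(os.urandom(16)), ue)
    return results


if __name__ == "__main__":
    print(demo())
```

The two failure codes are modelled on the separate MAC-failure and synchronisation-failure responses the standard defines; which responses a phone sends, and when, is exactly the kind of protocol behaviour the researchers study for information leaks.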

The standards body in charge of 5G—the 3rd Generation Partnership Project, or 3GPP—has improved AKA to mitigate those well-known privacy issues. However, the researchers say, they have been able to find a new vulnerability that affects all versions of the AKA, including in the upcoming 5G standard. And what's more, the researchers say that this new attack “breaches subscribers’ privacy more severely than known location privacy attacks do.”

The newly discovered vulnerability allows an attacker who can intercept mobile traffic in the area (meaning anyone with a software-defined radio costing around $500) to monitor individual subscriber activity, such as the number of outgoing calls or SMSs sent in a given amount of time (but not the metadata or contents of the messages). On top of that, the technique can tell an attacker how many calls or text messages an individual victim sent even if the victim is not near the attacker when the calls or texts are sent. Instead, once the victim has entered the attack area and subsequently left it, even call and text activity from the time away becomes visible as soon as the victim and their device re-enter the attack area.

What’s even more troubling is this attack provides a new way to track a user’s location not just over 3G and 4G, but even over 5G. Location tracking seems to be the most common use for IMSI catchers by American law enforcement and this vulnerability could provide the next generation of CSSs with a way to track user location, even over 5G.

It’s important to keep in mind here that, for cases of lawful intervention from law enforcement agencies, there are better ways than this attack technique to get location information, such as getting a warrant and getting the information directly from the phone companies. People working outside the legal system, such as spies and criminals, cannot get warrants and cannot typically work directly with the phone companies. Law enforcement does not need the location-finding capabilities of an IMSI catcher unless they are trying to circumvent the legal system.

Of course, there are already known attacks that allow for tracking a mobile user’s location over 4G. However, this attack would continue to work even if the currently known vulnerabilities in 4G were fixed.

The researchers have notified members of the 5G standards body about their discovery and expect it to be fixed in the next iteration of the protocol.
